Improve new device login protection language

Hello. About a month ago I received a notice from BitWarden that they are going to start requiring 2FA emails in order to access the vault. I do not agree to this, and if this is actually mandatory I will most likely stop using BitWarden. However, I did not stop using BitWarden, because the announcement specifically said

Had I not been given this promise in your announcement, I could have spent the last month transitioning away from BitWarden or switching to self-hosting. But I trusted you, so I did not do this.

Today neither my phone nor my desktop app will let me into my password vault. It first asks me if I have reliable access to my email, and when I say no, it brings me to a screen where the only option is to set up a different 2FA method.

The user guide I find on this subject says that to take the non-recommended opt out, I “Opt-out of this feature from the Settings → My account screen in the Danger Zone section.” However, the desktop app (2025.2.0 from Linux x86_64 FlatHub) does not have this option; it does not even have a Danger Zone section. Meanwhile, the Android app has no access to settings at all; I can only access the 2FA setup screen. None of this matches with the claims you made ahead of time.

One thing that I wonder is if possibly, when your guide refers to “The settings → my account screen”, you are referring to the website (e.g. the “web vault”). I have never logged in on your website, and I never will. To me the point of Bitwarden is that Bitwarden Inc, the company, never gets hold of my master password in cleartext. Although I believe I can safely trust your desktop/phone app, downloaded to a device I control from a trusted source such as the Play Store, there is no way you can convince me a web page can be made safe enough to type my very valuable BitWarden master password into it. The web browser is not the same security regime as a desktop application. If use of the Web Vault is mandatory in order to access the claimed 2-step-login opt out, you should have disclosed that in your multiple previous announcements about this feature before locking people out of their own computers.

I have two devices on which I have BitWarden vaults downloaded. I would like to access my own password vault, so that I can remove my passwords from the vault and, I guess, transition to a different password manager. How can I do this? Is it possible? Your software is currently refusing to let me.


The status remains “are going to”. They had previously announced they would enable the opt-out setting before enabling device-verification to give people time to opt-out (even if not recommended) before enforcement. We are in that period right now.

Yes, that is exactly where opt-out is located. However it is not recommended to opt-out. Instead, you are better off setting up multiple MFA mechanisms.

The best instructions for transitioning can generally be found in the documentation of the product to which you are moving.

When you choose “Yes”, you can access your vault like before, I guess.

Maybe it is good that you’re suspicious of the web vault, as it is e.g. better to use the browser extension and the other BW apps. And everyone should make sure not to fall victim to fake Bitwarden websites and enter their credentials there. - Apart from that, your suspicions about the web vault are unwarranted. The web vault is the main administrative place for the Bitwarden account/vault, as many core actions can only be executed in the web vault, like

  • changing your Bitwarden email address
  • changing your master password
  • setting up 2FA (email, TOTP, FIDO2/“passkeys”, DUO, Yubico OTP)
  • changing the KDF (Key Derivation Function… PBKDF2, Argon2)
  • setting up organizations or rather inviting and accepting members of your organizations (if needed)
  • deauthorizing current sessions (danger section!)
  • and other things…

I guess until the other apps got more and more of the import and export functions, that was formerly also only possible via accessing the web vault…


Bitwarden, Inc. absolutely cannot read your master password in plaintext when you log in to the Web Vault. The vault.bitwarden.com site downloads JavaScript code to your computer, where the code runs only on your computer, and hashes your password beyond recognition before it is transmitted to Bitwarden’s servers.

And I have bad news for you about the Desktop app — it works the same way as the Web Vault app. The Desktop app is actually a Chromium web browser that has all of its controls (address bar, etc.) removed; inside this web browser, JavaScript code is running to process your login information, just like when you log in to the Web Vault.

The browser extensions are not much different either.

Although Bitwarden’s servers will never see your master password, if you have malware running on your devices, then that malware will have the ability to see your master password (and your vault contents), no matter which of the apps or extensions you are using.
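An added illustration of the client-side hashing described in the post above, and of the later objection that client code which runs before the hashing step is the part that must be trusted; this is example code written for this page, not code from Bitwarden or from anyone in the thread. It is modelled on the published Bitwarden design (PBKDF2-SHA256 with the normalised email as salt, then a one-iteration PBKDF2 keyed by the master key to produce the login hash); the iteration counts, field names and the server-side re-hashing are assumptions.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials for this demonstration; not real account data.
EMAIL = "Alice@Example.com"
MASTER_PASSWORD = "correct horse battery staple"

# Assumed parameters: a large client-side PBKDF2-SHA256 iteration count (600,000
# is the assumed current Bitwarden default) and an assumed server-side count.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_master_key(password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password, salted with the normalised email.
    This key never leaves the device; it is what unlocks the vault encryption key."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)

def derive_auth_hash(master_key: bytes, password: str) -> str:
    """Client side: one PBKDF2 round keyed by the master key gives the login value.
    The server cannot recover the password or the master key from it."""
    digest = hashlib.pbkdf2_hmac("sha256", master_key, password.encode("utf-8"), 1, 32)
    return base64.b64encode(digest).decode("ascii")

def client_login_payload(password: str, email: str) -> dict:
    """All the client transmits at login. Malicious client code could capture
    `password` before this point, which is the objection raised later in the thread."""
    master_key = derive_master_key(password, email)
    return {"email": email.strip().lower(),
            "masterPasswordHash": derive_auth_hash(master_key, password)}

def server_register(payload: dict) -> dict:
    """Server side (assumed pattern): re-hash the received value with a random
    per-account salt, so a database leak exposes neither password nor auth hash."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", payload["masterPasswordHash"].encode("ascii"),
                                 salt, SERVER_ITERATIONS, 32)
    return {"email": payload["email"], "salt": salt, "hash": stored}

def server_verify(payload: dict, record: dict) -> bool:
    """Server side: recompute the stored form and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", payload["masterPasswordHash"].encode("ascii"),
                                    record["salt"], SERVER_ITERATIONS, 32)
    return payload["email"] == record["email"] and secrets.compare_digest(candidate, record["hash"])
```

Running `server_register(client_login_payload(MASTER_PASSWORD, EMAIL))` shows that the only secret-derived value crossing the wire is the 44-character base64 login hash, not the password or the master key.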

I would like to add some additional notes:

  • The original announcement and the current help page claim that “Users who log in from a device where they have previously logged in are excluded” from the email-based new device verification. This is untrue, as I have previously logged in on both Android and Linux and I am locked out on both. I have confirmed this behavior with one other BitWarden user.
  • As described above, the “not recommended” opt-out is not available to me. However, according to many reports in this github issue, even for accounts which have set the opt-out, they are still locked out of their vaults and being required to use the email-based new device verification.

There seem to me to be only two possibilities. Either BitWarden rolled out the device verification with major bugs; or BitWarden lied in its announcement and help pages about device verification. I assume the former, but neither possibility speaks well to BitWarden’s trustworthiness as a software vendor.

The status remains “are going to”. They had previously announced they would enable the opt-out setting before enabling device-verification to give people time to opt-out (even if not recommended) before enforcement. We are in that period right now.

If this is true, then why am I, as well as one other person I have spoken to personally, as well as many people in the github issue above, locked out of our vaults? The email device verification is being required now. On my computer. At this moment.

the website (e.g. the “web vault”).

Yes, that is exactly where opt-out is located

But I do not use the web vault. Why did Bitwarden not disclose that the opt-out was available to web vault users only?

The best instructions for transitioning can generally be found in the documentation of the product to which you are moving.

Not to be rude, but did you read my post? I cannot export my passwords to another password manager because BitWarden will not allow me to access my passwords.

Bitwarden, Inc. absolutely cannot read your master password in plaintext when you log in to the Web Vault. The vault.bitwarden.com site downloads JavaScript code to your computer, where the code runs only on your computer

Speaking from my experience as a software developer who has shipped javascript-based in-browser cryptography, this is not correct. BitWarden could read my password by simply shipping a different JavaScript which reads my keystrokes as I enter the password. Alternately, someone who covertly takes hold of one of BitWarden’s web servers from the inside could add such a JavaScript; additionally, a compromised browser extension or one of a number of other browser-specific attack vectors could read the password. The web browser is not the same security regime as a desktop application.

(The obvious objection to what I say here is, if a bad actor could poison BitWarden’s web servers to inject bad JavaScript, they could also poison their web servers to ship me a bad binary. If this is what you are about to say, it is wrong for two reasons. First off, since the browser application is deployed to my computer “at rest”, I am able to compare the bits deployed to my computer to those deployed on other computers. If a bad actor either within BitWarden or poisoning BitWarden’s servers wanted to insert a backdoor to a particular download of the BitWarden app, there would be a risk of discovery present that is not present in the browser security regime, discouraging such attacks from being attempted. Second off, I do not download the app from the BitWarden web server. I download it from, for example, Google Play, which does an additional independent pass of verification on the binary.)

Okay… My interpretation of the “do you have reliable access to your email” box is that it is opting in to the “email-based device verification”. So I guess the idea is that I agree I have reliable access to my email (not really true), my account is now in a state where I can no longer deploy to new machines without the email verification but I can now extract my passwords from the machines on which they are already deployed (and use this opportunity to switch to a different password manager)…? I guess that is a solution, so thank you for your response.

It would be nice though if the BitWarden help pages accurately represented the behavior of the application.

Good to hear you were not actually locked out.

You had a little scare here, believing that you lost your vault. There is a lesson to be had, regardless of whether you stick with Bitwarden, switch to a competitor or even revert to pencil-and-paper: backups are important. They should be created/updated with a frequency that matches the amount of data you are willing to lose. Anything needed to restore the backup (e.g. the backup password) should be stored on your emergency sheet. And you should occasionally test that your backup restores properly by importing into a temporary account or KeePassXC (which can read Bitwarden’s password-protected JSON exports).

Your distrust with browser-apps seems to stem from “supply chain attacks”. Turns out that such attacks are not just limited to web pages. Additionally, app stores do not guarantee a defense, as was made clear last December.

For the record, someone in administration has renamed this thread from its original title, “Locked out of BitWarden vault and claimed email opt-out does not exist”, to “Improve new device login protection language”. I do not agree with this renaming, as I am still locked out of my BitWarden vault, and the claimed email opt-out does not exist.

So first off, I am in fact still locked out— because I have not yet clicked the button saying “Yes, I can reliably click my email”, because I do not believe that statement is true. But second off, backups have nothing to do with this at all. I have a copy of my vault right here on my computer right now. The problem is the software distributed by BitWarden will not allow me to decrypt it. A backup of an encrypted file is obviously not useful without the software to decrypt it.

Your distrust with browser-apps seems to stem from “supply chain attacks”. Turns out that such attacks are not just limited to web pages

The fact that types of software other than web pages can be hacked does not mean that all types of software are equally secure. The level of confidence that browser-side js encryption provides is simply not enough for me, for this application.

That is simply not true. It exists in the web vault, where every other critical function is also located. (and the new device verification is not even active yet)

Whether you answer “Yes…” or “No…” to this notification - the answer doesn’t change a setting here. If you answer Yes, you can access your vault as before. If you answer No, you get the dialogue you see (which tries to talk you into 2FA - and yeah, that could have been handled differently) and now you mistakenly think you “are locked out now”.

Probably you know that, but if e.g. you don’t open a new Bitwarden account to import the encrypted export, another option would be to import it with KeePassXC which can decrypt it.

And to the “web vault” question: if, for whatever reason or circumstances, your master password would get compromised - what would you do without using the web vault (the only place where you can change the BW master password)? – If your Bitwarden email address got “leaked” and you would get dozens of login attempts to your Bitwarden account - what would you do without using the web vault (the only place to change your BW email address)? etc.

You are so distrustful of the Web app, yet you used a Web app to register your Bitwarden account, and had no objections to entering your master password into a web form. If Bitwarden wanted to steal your master password, they would have done it then.

Neither of these claims is true (well, the first one may be technically true, but only to the extent that you refuse to let yourself into your vault):

So you are not actually looking for a solution to your problem, then? As soon as you click that button, you will gain access to your vault — if you opt out of New Device Verification, then it doesn’t matter one iota whether you have access to your email. If you are refusing to select that option on the matter of some principle (!?!?!?!?!), then I’m afraid you are just cutting off your nose to spite your face.

And if that is the core of your objection (the fact that you must click an option that contains wording you are uncomfortable with), then the new topic title is, in fact, very apropos.

You have twice indicated you now know how to solve your problem. If you choose not to accept our advice, I don’t know how we can help you.

Like @grb, I too feel that the updated topic title better reflects your primary complaint that the documentation does not make it clear where to find the opt-out button and that the language in the popup is unclear.

For the record, @grb, @Nail1684 and I are all customers of Bitwarden; we are not employees.

Okay, thank you. This actually did solve my problem. After entering my master password, but without clicking through “I can reliably access my email”, I was able to export from the menu to a secure path and import to KeePassXC. I now have a KeePassXC vault to replace my BitWarden vault and can access my passwords.

This is a real problem yes, and probably a sign I should have switched to KeePass earlier if I do not trust the web vault :frowning: I have only ever used the desktop and phone clients, and assumed that because there was a “change master password” option in the menu, that it would work if I selected it. As you say this just redirects to the website.

On the bright side, it does appear “Delete account” can be done entirely in the desktop app?

It can be done without even logging in.

You might keep that final export long-term, alongside the periodic exports from your new vault. One never knows if something failed to import, and you might just find it in the archives.

Hope your new vault treats you well, but if not we will be here.

Closing this out as a duplicate, please see: